b'               Office of Inspector General\n\n             Independent Evaluation Report\n\n\n\n\nReview of Federal Trade Commission Implementation of the\n      Federal Information Security Management Act\n                   For Fiscal Year 2004\n\n\n                    October 6, 2004\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\n                                     EVALUATION SUMMARY\n\nINTRODUCTION\n\nThe Federal Trade Commission\xe2\x80\x99s (FTC) Office of Inspector General (OIG) completed this Independent\nEvaluation Report along with the IG\xe2\x80\x99s portion of the Office of Management and Budget (OMB) mandated\nExecutive Summary for FY 2004. This OIG Independent Evaluation Report, unlike the Executive\nSummary which focuses on performance measures, provides specific findings and, when applicable,\nrecommendations for resolution.\n\nOn December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-\n347), which includes Title III, the Federal Information Security Management Act (FISMA) of 2002. The\nFISMA permanently reauthorized the framework laid out in the Government Information Security\nReform Act of 2000, which expired in November 2002. The FISMA outlines the information security\nmanagement requirements for agencies, including the requirement for annual review and independent\nassessment by agency inspectors general. In addition, FISMA includes new provisions aimed at further\nstrengthening the security of the Federal government\xe2\x80\x99s information and information systems, such as the\ndevelopment of minimum standards for agency systems. The annual assessments provide agencies with\nthe information needed to determine the effectiveness of overall security programs and to develop\nstrategies and best practices for improving information security.\n\nThe OIG independent evaluation (i) reviewed the implementation of the Federal Trade Commission\n(FTC) information security program; (ii) assessed agency progress towards correcting weaknesses\naddressed within the 2004 Plan of Action and Milestones (POA&M); (iii) verified and tested information\nsecurity and access controls for the General Support System, the Federal Financial System and the\nPremerger System, and (iv) evaluated FTC\xe2\x80\x99s vulnerability assessment scanning and remediation program.\n\nThe results of these various evaluations are presented in this Independent Evaluation Report along with a\nnumber of recommendations to address vulnerabilities identified during the evaluation.\n\nOBJECTIVES\n\nThe objectives of the independent evaluation of the FTC information security program were to:\n\n    1. Assess compliance with FISMA and related information security policies, procedures, standards\n       and guidelines; and\n    2. Test the effectiveness of information security policies, procedures and practices on a\n       representative subset of the agency\xe2\x80\x99s information systems.\n\nRESULTS IN BRIEF\n\nFISMA defines information security as \xe2\x80\x9c\xe2\x80\xa6 protecting information and information systems from\nunauthorized access, use, disclosure, disruption, modification, or destruction in order to provide (i)\nintegrity -- guarding against improper information modification or destruction, and ensuring information\nnonrepudiation and authenticity; (ii) confidentiality -- preserving authorized restrictions on access and\ndisclosure, including means for protecting personal privacy and proprietary information; and (iii)\navailability -- ensuring timely and reliable access to and use of information.\xe2\x80\x9d\n\nThe OIG found that FTC\xe2\x80\x99s Office of Information and Technology Management (ITM) made extensive\nprogress in developing a mature information security program, and has implemented or addressed OIG-\n\n\n\nOctober 6, 2004                                                                                               i\n\x0c                                                      Independent Evaluation of FTC Information Security Program\n\n\n\nidentified security vulnerabilities discussed in the fiscal year (FY) 2003 Independent Evaluation report.\nFor example the FTC:\n\n    \xe2\x80\xa2    Certified and accredited three of its Major Applications and General Support Systems (GSS).\n    \xe2\x80\xa2    Completed 25 of the 91 issues identified in the POA&M, with plans to address the remaining 66\n         issues.\n    \xe2\x80\xa2    Made improvements in its POA&M tracking and reporting process.\n    \xe2\x80\xa2    Developed policies and procedures that addressed various security issues.\n    \xe2\x80\xa2    Developed a scanning and remediation program for system vulnerabilities.\n    \xe2\x80\xa2    Modified the inventory to include interconnections to other systems.\n\nAs a result of these actions, the OIG believes that the FTC continues to make steady progress in the\ndevelopment of a mature security program in accordance with FISMA requirements.\n\nIn a memorandum to agencies and inspectors general, the OMB-provided guidance on FISMA\nimplementation and reporting. As part of this guidance, OMB requires agencies to identify and report on\n\xe2\x80\x9csignificant deficiencies\xe2\x80\x9d in their information security programs. OMB defines a significant deficiency as\na weakness in an agency\xe2\x80\x99s overall information systems security program or management control structure,\nor within one or more information systems that significantly restricts the capability of the agency to carry\nout its mission or compromises the security of its information, information systems, personnel, or other\nresources, operations, or assets. In this context, the risk is great enough that the agency head and outside\nagencies must be notified and immediate corrective action must be taken. A significant deficiency under\nFISMA is to be reported as a material weakness under the Federal Managers Financial Integrity Act\n(FMFIA).\n\nUnlike in prior years the OIG found no significant deficiencies this year. However, the OIG identified\nseveral findings that merit management\xe2\x80\x99s attention. These various conditions are discussed in the body of\nthe report.\n\n\n\n\nOctober 6, 2004                                                                                               ii\n\x0c                                                                           Independent Evaluation of FTC Information Security Program\n\n\n\n\n                                                       TABLE OF CONTENTS\n\n\n\n\nEvaluation Summary ................................................................................................................... i\n\n1      Background ........................................................................................................................1\n2      Purpose...............................................................................................................................1\n3      Scope and Methodology....................................................................................................1\n4      Certification and Accreditation Findings.........................................................................2\n       4.1 Certification and Accreditation (C&A) ..................................................................................... 3\n       4.2 C&A Package Review............................................................................................................... 4\n       4.3 Security Plans ............................................................................................................................ 5\n       4.4 Risk Assessments ...................................................................................................................... 7\n       4.5 Privacy Impact Assessments ..................................................................................................... 8\n5      Independence .....................................................................................................................9\n6      Security Policies and Procedures ..................................................................................10\n       6.1 Policy Development ................................................................................................................ 10\n       6.2 Review of the FTC Administrative Manual Chapter 1............................................................ 11\n       6.3 Media Handling Policy............................................................................................................ 12\n7      Security Awareness Training..........................................................................................13\n8      Security Incident Response ............................................................................................13\n9      Continuity of Operations Planning.................................................................................14\n       9.1 Disaster Recovery Plan ........................................................................................................... 14\n       9.2 Memorandums of Agreement (MOA) and Memorandums of Understanding (MOU) ........... 15\n10     Plan of Action and Milestones (POA&M) .......................................................................16\n11     Miscellaneous Findings...................................................................................................17\n       11.1 Separation of Duties ................................................................................................................ 17\n12     Testing ..............................................................................................................................17\n       12.1 Internal and External Vulnerability Assessment ..................................................................... 17\n       12.2 Logical Access Controls.......................................................................................................... 18\n       12.3 Managerial Access Controls\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.19\n       12.4 Controlling Access for Interagency Transfers\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.20\n       12.5 Access to Test Data\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa621\n\n\n\n\nOctober 6, 2004                                                                                                                                      iii\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\n1        Background\n\nOn December 17, 2002, the President signed into law the E-Government Act of 2002 (Public Law 107-\n347), which includes Title III, the Federal Information Security Management Act (FISMA) of 2002.\nFISMA permanently reauthorized the framework laid out in the Government Information Security\nReform Act of 2000, which expired in November 2002, and outlines information security management\nrequirements for agencies, including the requirement for annual review and independent assessment by\nagency inspectors general. In addition, FISMA includes new provisions aimed at further strengthening\nthe security of the Federal government\xe2\x80\x99s information and information systems, such as the development\nof minimum standards for agency systems. The annual assessments provide agencies with the\ninformation needed to determine the effectiveness of overall security programs and to develop strategies\nand best practices for improving information security.\n\nThe Office of Inspector General (OIG) independent evaluation (i) reviewed the implementation of the\nFederal Trade Commission (FTC) information security program; (ii) assessed agency progress towards\ncorrecting weaknesses addressed within the 2004 Plan of Action and Milestones (POA&M); (iii) verified\nand tested information security and access controls for the General Support System (GSS), the Federal\nFinancial System (FFS), and the Premerger System, and (iv) evaluated FTC\xe2\x80\x99s vulnerability assessment\nscanning and remediation program.\n\n\n2        Purpose\n\nThe objectives of the independent evaluation of the FTC information security program were to:\n\n    1. Assess compliance with FISMA and related information security policies, procedures, standards,\n       and guidelines; and\n    2. Test the effectiveness of information security policies, procedures and practices of a\n       representative subset of the agency\xe2\x80\x99s information systems.\n\n\n3        Scope and Methodology\n\nThe scope of this independent evaluation of the FTC FY 2004 information security program included:\n\n    \xe2\x80\xa2    Review of FTC major applications and general support systems\n    \xe2\x80\xa2    POA&M review for completeness and accuracy\n    \xe2\x80\xa2    Security controls testing\n\nThe OIG reviewed the following FTC systems and/or system components in detail:\n\n    \xe2\x80\xa2    GSS (FTC Enterprise System and E-mail)\n    \xe2\x80\xa2    Hart Scott Rodino Premerger Tracking System Including Electronic Filing Process (Premerger)\n    \xe2\x80\xa2    Federal Financial System (FFS) owned by Department of Interior. FTC OIG also relied on DOI\n         OIG\xe2\x80\x99s Review of Information System Security Over Systems & Applications used by the National\n         business Center to Provide Services to Non-Department of Interior Clients (Report No. A-EV-\n         OSS-0094-2004) for this portion of the study.\n\nThe OIG did not review physical security controls in this evaluation.\n\n\n\n\nOctober 6, 2004                                                                                              1\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\nTo accomplish the review objectives, the OIG conducted interviews with Information and Technology\nManagement (ITM) staff, including the Chief Information Officer (CIO), the Senior Agency Information\nSecurity Officer, other members of the CIO staff and FTC program officials. The team reviewed\ndocumentation provided by the FTC including security plans, risk assessments, the Disaster Recovery\nPlan (DRP), Certification and Accreditation (C&A) packages, Privacy Impact Assessments and other\nsecurity related policies. The OIG also reviewed ITM\xe2\x80\x99s vulnerability scanning and remediation program.\n\nAll analyses were performed in accordance with guidance from the following:\n\n    \xe2\x80\xa2    Office of Management and Budget (OMB) Memorandum M-04-25, Reporting Instructions for the\n         Federal Information Security Management Act (8/23/04)\n    \xe2\x80\xa2    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide\n         for Developing Security Plans for Information Technology Systems, December 1998\n    \xe2\x80\xa2    NIST (SP) 800-26, Self-Assessment Guide for Information Technology Systems, August 2001\n    \xe2\x80\xa2    NIST SP 800-30, Risk Management Guide for Information Technology Systems\n    \xe2\x80\xa2    NIST SP 800-34, Contingency Planning Guide for Information Technology Systems\n    \xe2\x80\xa2    NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information\n         Systems, May 2004\n    \xe2\x80\xa2    Federal Information Processing Standards Publication (FIPS PUB) 199, Standards for Security\n         Categorization of Federal Information and Information Systems, February 2004\n    \xe2\x80\xa2    Quality Standards for Inspection issued by the President\xe2\x80\x99s Council on Integrity and Efficiency\n    \xe2\x80\xa2    GAO, Federal Information System Controls Audit Manual, Volume I: Financial Statement\n         Audits, January 1999\n    \xe2\x80\xa2    The FTC/OIG Audit Guidance\n    \xe2\x80\xa2    OMB Memorandum M-03-22 Guidance for Implementing Privacy Provisions of the E-\n         Government Act of 2002\n    \xe2\x80\xa2    OMB Guidance M-04-15 Guidance Development of Homeland Security Directive (HSPD) \xe2\x80\x93 7\n         Critical Infrastructure Protection Plans to Protect Federal Infrastructure and Key Resources\n\nFieldwork was conducted between May 27 and September 20, 2004.\n\n\n4        Certification and Accreditation Findings\n\nThe OIG found that ITM made extensive progress in developing a mature information security program,\nand has implemented or addressed OIG-identified security vulnerabilities discussed in the fiscal year (FY)\n2003 Independent Evaluation report. For example the FTC:\n\n    \xe2\x80\xa2    Certified and accredited three of its Major Applications (MA) and General Support Systems\n         (GSS), and has made substantial progress in completing C&A\xe2\x80\x99s in the remaining four systems.\n    \xe2\x80\xa2    Completed 25 of the 91 issues identified in the POA&M, with plans to address the remaining 66\n         issues.\n    \xe2\x80\xa2    Made improvements in its POA&M tracking and reporting process.\n    \xe2\x80\xa2    Developed policies and procedures that addressed various security issues.\n    \xe2\x80\xa2    Developed a scanning and remediation program for system vulnerabilities.\n    \xe2\x80\xa2    Modified the inventory to include interconnections to other systems.\n\nIn addition to these improvements, FTC also made improvements in other areas as well. As of mid-June\n2004, the ITM Operations Section assumed responsibility for all production systems. Prior to this,\ndevelopers had substantial privileges on production applications and data. All default system passwords\n\n\n\nOctober 6, 2004                                                                                              2\n\x0c                                                          Independent Evaluation of FTC Information Security Program\n\n\n\nhave been changed and Change Management procedures are used to manage changes to the system.\nHardware is located in the FTC Computer Room. Software is stored in a locked room. All new and\nrevised hardware and software are authorized, tested, and approved prior to implementation.\n\nFTC also made improvements in the area of data integrity. Review of a workstation, mail server and\nfirewall server indicated that all three of the devices had virus-scanning software loaded on them. For\nintrusion detection, the FTC purchased three Proventia devices and installed them on the FTC\nInfrastructure network.\n\nAudit logs are now being used to track activity involving access to and modification of sensitive\ninformation or critical files. Audit logs are flagged to an e-mail. Oracle and Solaris logs are reviewed\ndaily and Windows logs are reviewed on an as-needed basis. Premerger\xe2\x80\x99s log files are used for tracking\nall activity on the Transactions and Amount Paid tables. FFS external security and System Management\nFacility (SMF) provides comprehensive audit and reporting capabilities and FFS internal security\n(security logging options) provides audit capabilities.\n\nBased upon a review of an independent assessment performed by the Department of Interior\xe2\x80\x99s OIG, it was\ndetermined that DOI\xe2\x80\x99s National Business Center (NBC), the organization responsible for the Federal\nFinancial System (FFS), has security measures and procedures in place to control and track installation of,\nand updates to, this application. There is an automated configuration management and tracking system in\nplace in the Financial Systems Division, NBC, for the management of the baseline FFS software\ncomponents and file conversion routines which are supplied by American Management Systems via the\nReston National Business Center.\n\nNotwithstanding progress made by ITM in the areas identified above, the OIG found other areas where\nimprovements are still needed. While no significant deficiencies were found according to the FY2004\ndefinition provided by OMB, the OIG did identify the following reportable conditions. 1\n\n\n4.1      Certification and Accreditation (C&A)\n\nOMB A-130, Appendix III, requires that major applications and general support systems undergo a\nsecurity certification and accreditation review every three years or sooner if major modifications are made\nto the system.\n\nThe National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for\nSecurity Certification and Accreditation of Federal Information Systems (SP 800-37), states that the\nsecurity certification package should contain a security plan (based on a risk assessment), a vulnerability\nassessment report, and a POA&M. The accreditation letter itself should contain the accreditation\ndecision, supporting rationale, and terms and conditions. Further, OMB guidance states that for non-\nnational security systems, development of an IT security program is to be consistent with NIST\ndocuments and Federal Information Processing Standards (FIPS). Any evaluation of the agency IT\nsecurity program implementation should evaluate the consistency with NIST.\n\n\n\n1\n  A significant deficiency, according to OMB guidance, is a weakness in an agency\xe2\x80\x99s overall information systems\nsecurity program or management control structure, or within one or more information systems, that significantly\nrestricts the capability of the agency to carry out its mission or compromises the security of its information. A\nreportable condition exists when a security or management control weakness does not rise to the level of a\nsignificant deficiency, yet is still important enough to be reported to internal management.\n\n\nOctober 6, 2004                                                                                                     3\n\x0c                                                         Independent Evaluation of FTC Information Security Program\n\n\n\nFinding: Not all of the FTC\xe2\x80\x99s major applications and general support systems are certified and\naccredited.\n\nTable 4-1 identifies the six major applications (MA), one general support system (GSS) and the security-\nrelated documentation available for review at the time of this evaluation. Systems identified in bold were\nreviewed by OIG in this year\xe2\x80\x99s FISMA review.\n\n                               Table 4-1 \xe2\x80\x93 C&A Security Documentation\n                                                                 ST&E or                      Privacy\n                                   Risk\n      System         System                     Security       Vulnerability    POA&M         Impact          C&A\n                                Assessment\n       Name           Type                       Plan          Assessment                   Assessment       Letters\n                                  Report\n                                                                  Report\nDocumentum           MA            Draft         Draft             No             N/A           No            No\nFFS                  MA            Yes           Yes               Yes            Yes           Yes           Yes\nMMS                  MA            Draft         Yes               No             N/A           No            No\nCIS                  MA             No           Yes               No             N/A           No            No\nPre-Merger           MA            Yes           Yes               Yes            No            Yes           Yes\nDo Not Call          MA            Yes           Yes               No             No            No            Yes\nInfrastructure       GSS           Yes           Yes               No             N/A           No            No\n\nAt the time fieldwork was completed, three of FTC\xe2\x80\x99s major applications were certified and accredited\n(DNC, Premerger and FFS). Do Not Call and Premerger are owned and operated by the FTC. FFS, a\nDepartment of Interior system used by the FTC is owned and operated by the Department of Interior\xe2\x80\x99s\nNational Business Center (NBC). ITM reported to the OIG that the remaining four applications are\nscheduled to have their C&A\xe2\x80\x99s completed by September 30, 2004.\n\nNot having systems certified and accredited could result in systems going into the production\nenvironment with undetected and uncorrected vulnerabilities. These vulnerabilities could be exploited\nand the data and systems could be compromised.\n\nRecommendation:\n\n          As the four systems that have not yet received a C&A are scheduled to have their reviews\n          completed by 9/30/04, and as these weaknesses have already been placed on a prior POA&M, no\n          OIG recommendation is necessary.\n\n\n4.2       C&A Package Review\n\nSP 800-37, defines security certification as a comprehensive assessment of management, operational, and\ntechnical security controls in an information system, made in support of security accreditation. The\nguidance also states that the security certification package should contain:\n\n      \xe2\x80\xa2   A security plan (based on a risk assessment)\n      \xe2\x80\xa2   A security assessment report\n      \xe2\x80\xa2   A POA&M\n\nAdditionally, the guidance states that all certifications and accreditations initiated after finalization of\nNIST Special Publication 800-37 must be consistent with 800-37. SP 800-37 was only recently finalized\nin May 2004.\n\n\n\nOctober 6, 2004                                                                                                   4\n\x0c                                                      Independent Evaluation of FTC Information Security Program\n\n\n\n\nFinding: C&A Packages do not fully conform to NIST 800-37 or FTC Certification and Accreditation\nPolicy guidance.\n\nFTC\xe2\x80\x99s current C&A policy, which closely monitors NIST guidance, was implemented June 30, 2004. It\nstates that the C&A package should contain a system security plan, risk assessment report, a security\ntesting & evaluation report (or vulnerability assessment report), privacy impact assessment (if required),\nSystem Plan of Action & Milestones and a certifier\xe2\x80\x99s statement. The C&A package contents required by\nNIST and FTC are summarized in table 4.2.\n\n                            Table 4-2 \xe2\x80\x93 C&A Package Requirements\n          NIST C&A Package Requirements            FTC C&A Package Requirements\n System Security Plan including related documents      System Security Plan\n System Security Assessment Report                     System Risk Assessment\n POA&M                                                 POA&M\n                                                       Privacy Impact Assessment\n                                                       Security Test & Evaluation Report\n\nFTC accredited the Do Not Call system on July 1, 2004, contrary to agency policy. Specifically, the Do\nNot Call C&A package does not contain a Security Test & Evaluation (ST&E). The result of certifying\nand accrediting a system without thorough testing increases the possibility that the system may have gone\ninto production with unidentified problems.\n\nHowever, the C&A package for Do Not Call did contain a security plan, a risk assessment and an\nunsigned Memorandum of Understanding for AT&T Government Solutions Inc. The OIG did not take\nissue with the accreditation despite the missing documentation for two reasons. First, we felt that the\nquality of the Risk Assessment and the Security Plan was high. Secondly, according to the DNC\nPOA&M, a systems test and evaluation is scheduled for completion on January 30, 2005.\n\nRecommendation:\n\n           As management has recorded the weakness on the DNC system POA&M and has scheduled to\n           complete the ST&E by January 30, 2005, no OIG recommendation is necessary.\n\n\n4.3        Security Plans\n\nAccording to NIST SP 800-18, the security plan should address:\n\n      \xe2\x80\xa2    System Identification\n      \xe2\x80\xa2    Interconnections to Other Systems\n      \xe2\x80\xa2    Rules of Behavior\n      \xe2\x80\xa2    System Sensitivity\n      \xe2\x80\xa2    Management Controls\n      \xe2\x80\xa2    Operational Controls\n      \xe2\x80\xa2    Technical Controls\n\nSP 800-37 states that the security plan can also include other security-related documents as supporting\nappendices or references. These documents include:\n\n\n\nOctober 6, 2004                                                                                               5\n\x0c                                                        Independent Evaluation of FTC Information Security Program\n\n\n\n    \xe2\x80\xa2    Risk Assessment\n    \xe2\x80\xa2    Privacy Impact Assessment\n    \xe2\x80\xa2    Contingency Plan\n    \xe2\x80\xa2    Incident Response Plan\n    \xe2\x80\xa2    Configuration Management Plan\n    \xe2\x80\xa2    Security Configuration Checklists\n    \xe2\x80\xa2    System Interconnection Agreements\n\nFinding: The security plans lack selected pieces of the information required by NIST SP 800-18, Guide\nfor Developing Security Plans for Information Technology.\n\nSecurity plans are in place for all FTC major applications, Infrastructure, and FFS. FTC has updated four\nplans which are pending certification: Infrastructure, MMS, Documentum, and CIS. Although, the\nsecurity plans address many of the major areas identified in SP 800-18, review of these documents found\nthat selected sections were not fully addressed. For example, review of the security plan for Infrastructure\n(Federal Trade Commission Enterprise Network Security Plan), found:\n\n    \xe2\x80\xa2    Rules of Behavior (ROB) are not clear about the consequences of behavior that is not consistent\n         with the rules; ROB do not include a statement and signature and date line that the user\n         acknowledges receipt, understands responsibilities, and will comply with the rules; ROB\n         signatures are not kept on file for all users.\n    \xe2\x80\xa2    Data integrity controls, identification and authentication, logical access controls, and auditing are\n         not discussed in sufficient detail.\n    \xe2\x80\xa2    The email portion of Infrastructure is not discussed in sufficient detail.\n\nThe Premerger security plan addresses all of the areas that NIST SP 800-18 says should be addressed in a\nsecurity plan with the exceptions of Security Awareness Training and Incident Response Capability.\nHowever, many of the areas addressed in the security plan are not addressed in detail. Review of the\nPremerger security plan identified the following two weaknesses:\n\n    \xe2\x80\xa2    Rules of Behavior are not clear about the consequences of behavior that is not consistent with the\n         rules; Rules of Behavior do not include a statement and signature and date line that the user\n         acknowledges receipt, understands responsibilities and will comply with the rule; Rules of\n         Behavior are not kept on file for all users.\n    \xe2\x80\xa2    The identification and authentication section needs to discuss password controls.\n\nThe security plans were finalized and approved but were not reviewed by ITM for compliance with NIST\nSP 800-18.\n\nNot having sufficient detail in the security plans makes it difficult for agency C&A officials to efficiently\ndetermine if a system contains all the necessary security controls. Again, not including sufficient security\ndocumentation as part of the security plan makes it difficult to gather all the required information to\ncertify and accredit systems.\n\nRecommendation:\n\n         1. OIG recommends that ITM develop security plans that include Rules of Behavior and which\n         provide sufficient documentation to allow for an efficient C&A process.\n\n\n\n\nOctober 6, 2004                                                                                                 6\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\n4.4       Risk Assessments\n\nOMB A-130, Appendix III, requires that risk assessments be performed on systems at least every three\nyears or whenever the system undergoes a C&A and/or significant modification. NIST SP 800-30, Risk\nManagement Guide for Information Technology Systems, August 2001, provides guidance on conducting\nrisk assessments.\n\nThe effect of not having up to date risk assessments on all systems is that the threats, vulnerabilities and\nrisks associated with running a system may not be completely understood. For example security plans are\nsupposed to be developed from the findings of the risk assessment process. Not having completed risk\nassessments could affect the quality of the security plan. This could have the ultimate effect of:\n\n      \xe2\x80\xa2   Impacting the agency\xe2\x80\x99s ability to perform some of its mission responsibilities effectively\n      \xe2\x80\xa2   Making it difficult for management to make well-informed risk management decisions to justify\n          expenditures that are part of the IT budget\n      \xe2\x80\xa2   Reducing the thoroughness of the certification and accreditation process\n\nFinding: Not all systems have risk assessments or current risk assessments.\n\nThe OIG found that Premerger, Do Not Call (DNC) and Infrastructure General Support System (GSS)\n(Infrastructure) had finalized and documented risk assessments. FFS, the system owned by DOI, had a\nrisk assessment that was four years old. The OIG also confirmed that draft risk assessments existed for\nDocumentum and MMS. Plans were developed for conducting a risk assessment for the CIS.\n\nRecommendation:\n\n          2. OIG recommends that ITM finalize risk assessments for all systems lacking up-to-date reviews.\n\n\nNIST SP 800-30 recommends that risk assessments include an executive summary, and describe the risk\nassessment methodology used. The risk assessment should identify the threats associated with operating\nthe system. The risk assessment should also contain system-related information to include:\n\n      \xe2\x80\xa2   Hardware\n      \xe2\x80\xa2   Software\n      \xe2\x80\xa2   System Interfaces\n      \xe2\x80\xa2   Data and information\n      \xe2\x80\xa2   Persons who support the system\n      \xe2\x80\xa2   System mission\n      \xe2\x80\xa2   System and data criticality\n      \xe2\x80\xa2   System and data sensitivity\n\nAdditional information that NIST recommends be included in the assessment includes, but is not limited\nto:\n\n      \xe2\x80\xa2   Functional requirements of the system\n      \xe2\x80\xa2   Users of the system\n      \xe2\x80\xa2   System security policies (organizational policies, federal requirements, laws, and industry\n          practices\n      \xe2\x80\xa2   System security architecture\n\n\nOctober 6, 2004                                                                                                7\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\n      \xe2\x80\xa2   Current network topology\n      \xe2\x80\xa2   Physical/environmental security controls\n      \xe2\x80\xa2   Management controls\n      \xe2\x80\xa2   Operational controls\n      \xe2\x80\xa2   Technical controls\n\nA more extensive list can be found in NIST SP 800-30.\n\nFinding: Some of the existing risk assessments do not address all required areas.\n\nThe Infrastructure risk assessment includes a vulnerability scan report generated from a vulnerability\nassessment scan conducted by Unisys on July 26, 2004. According to the risk assessment, Internet\nSecurity Systems (ISS) Internet Scanner and Nessus were used to conduct the scans for Windows and\nUnix devices respectively. Additionally, Foundstone Superscan and nmap were used to map and scan\nports.\n\nReview of this risk assessment found that it addressed most of the areas identified in SP 800-30.\nHowever, other areas were not addressed. For example:\n\n      \xe2\x80\xa2   The risk assessment does not identify the value of the information and system assets falling\n          within the scope of the risk assessment\n      \xe2\x80\xa2   The physical and environmental security controls are not addressed\n      \xe2\x80\xa2   The user community is not described\n\nThe Premerger risk assessment was originally prepared to address the e-filings portion of Premerger. It\nappears that the risk assessment methodology only used a scanning tool to assess the system.\nReview of the Premerger risk assessment also found that it does not:\n\n      \xe2\x80\xa2   Define the scope of the risk assessment effort\n      \xe2\x80\xa2   Address management and operational controls\n      \xe2\x80\xa2   Identify threats that could affect the system\n\nRecommendation:\n\n          3. OIG recommends that ITM Expand risk assessments to address all areas in NIST SP 800-30\n          when the next scheduled risk assessment is performed for the aforementioned systems.\n\n\n4.5       Privacy Impact Assessments\n\nAccording to OMB Memorandum M-03-22 OMB Guidance for Implementing the Privacy Provisions of\nthe E-Government Act of 2002, a Privacy Impact Assessment (PIA) must be conducted before developing\nor procuring IT systems or projects that collect, maintain or disseminate information in identifiable form\nfrom or about members of the public; or before initiating, consistent with the Paperwork Reduction Act, a\nnew electronic collection of information in identifiable form for 10 or more persons (excluding agencies,\ninstrumentalities or employees of the Federal government). A PIA is used to analyze how information is\nhandled (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding\nprivacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in\nidentifiable form in an electronic information system; and (iii) to examine and evaluate protections and\nalternative processes for handling information to mitigate potential privacy risks.\n\n\nOctober 6, 2004                                                                                                8\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\n\nFinding: Not all FTC systems have a Privacy Impact Assessment.\n\nAt the completion of fieldwork only Premerger and FFS had PIAs. Review of the Exhibit 300\xe2\x80\x99s found\nthat PIAs were not completed for the remaining systems. ITM reported that it plans to develop PIAs for\nCIS, Documentum, and a new system in development called Comment Works. ITM also reported that it\nplans to prepare memorandums for applications that do not require PIAs. These memorandums will state\nthat the system does not contain or process personally identifiable information and does not require PIAs.\n\nNot having completed PIAs puts FTC in noncompliance with OMB guidance. The potential exists that\npersonally identifiable information could be mishandled or released.\n\nRecommendation:\n\n         No recommendation is necessary as ITM has recognized the requirement to complete PIAs and is\n         in the process of completing them.\n\n\n5        Independence\n\nSP 800-37 identifies the senior agency information security officer as the agency official responsible for\n(i) carrying out the Chief Information Officer responsibilities under FISMA; (ii) possessing professional\nqualifications, including training and experience, required to administer the information security program\nfunctions; (iii) having information security duties as that official\xe2\x80\x99s primary duty; and (iv) heading an\noffice with the mission and resources to assist in ensuring agency compliance with FISMA. The senior\nagency information security officer (or supporting staff member) may also serve as the accrediting\nofficial\xe2\x80\x99s designated representative.\n\nThe certification agent is an individual, group, or organization responsible for conducting a security\ncertification, or comprehensive assessment of the management, operational, and technical security\ncontrols in an information system to determine the extent to which the controls are implemented correctly,\noperating as intended, and producing the desired outcome with respect to meeting the security\nrequirements for the system. The certification agent also provides recommended corrective actions to\nreduce or eliminate vulnerabilities in the information system. Prior to initiating the security assessment\nactivities that are part of the certification process, the certification agent provides an independent\nassessment of the system security plan to ensure the plan provides a set of security controls for the\ninformation system that is adequate to meet all applicable security requirements.\n\nNIST guidance recommends that the certification agent be in a position that is independent from the\npersons directly responsible for the development of the information system, and the day-to-day operations\nof the system. The certification agent should also be independent of those individuals responsible for\ncorrecting security deficiencies identified during the security certification.\n\nFinding: The Senior Agency Information Security Officer position may not be sufficiently independent\nto act as the Certification Agent.\n\nHaving the security officer serve as the certification agent creates a potential conflict of interest. The\nsecurity officer represents the CIO who is also the accrediting official. SP 800-37 states that the\ncertification agent should be in a position that is independent from the persons directly responsible for the\ndevelopment of the information system, and the day-to-day operations of the system.\n\n\n\nOctober 6, 2004                                                                                                9\n\x0c                                                        Independent Evaluation of FTC Information Security Program\n\n\n\nThis conflict stems from the fact that the FTC is a relatively small organization in which IT management\nis centralized through the Office of the CIO. Thus, likely alternatives to this review structure are few.\nHowever, the current structure has the potential, according to NIST guidance, to allow vulnerabilities to\ngo uncorrected or systems to be put in production prior to needed testing because of pressures to accredit\na system or put it in production before its ready.\n\nITM informed the OIG that it agrees with the finding and has taken steps to involve program staff in the\ncertification process whereby program staff are held accountable for their system certifications. The ITM\nsecurity officer reviews and signs the certification and forwards it to the accreditation official. The OIG\ncautions that, although a step in the right direction, program staff may not be technically skilled to\nidentify all vulnerabilities. This responsibility falls to the Senior Systems Security Officer, who, as stated\nabove, could succumb to pressure from the accreditation official. The OIG will monitor the extent to\nwhich program officials are involved in the C&A process and the results of the program staff-approved\ncertifications to determine whether potential conflicts are observed.\n\nRecommendation:\n\n          No recommendation is necessary as ITM has taken steps to include an independent group (system\n          owners) in the certification process. It is our understanding that this separation of duties will be\n          placed on the POA&M to assist the OIG in tracking and monitoring this outcome.\n\n\n6         Security Policies and Procedures\n\n6.1       Policy Development\n\nNIST 800-37 defines security certification as a \xe2\x80\x9ccomprehensive assessment of the management,\noperational, and technical security controls in an information system, made in support of security\naccreditation, to determine the extent to which the controls are implemented correctly, operating as\nintended, and producing the desired outcome with respect to meeting the security requirements for the\nsystem.\xe2\x80\x9d Additionally, SP 800-37 states that \xe2\x80\x9c(t)he Security Certification Phase consists of two tasks: (i)\nsecurity control assessment; and (ii) security certification documentation. The purpose of this phase is to\ndetermine the extent to which the controls in the information system are implemented correctly, operating\nas intended and producing the desired outcome with respect to meeting the security requirements for the\nsystem. SP 800-37 also identifies the following assessments as sources to use in the certification process:\n\n      \xe2\x80\xa2   Commercial product testing and evaluation programs\n      \xe2\x80\xa2   Privacy impact assessments\n      \xe2\x80\xa2   Physical security assessments\n      \xe2\x80\xa2   Self-assessments\n      \xe2\x80\xa2   Internal and external audits\n\nThe C&A package should contain the following:\n\n      \xe2\x80\xa2   Approved system security plan\n      \xe2\x80\xa2   Security assessment report\n      \xe2\x80\xa2   Plan of action and milestones\n\nA memorandum from OMB\xe2\x80\x99s Office of E-Government and Information Technology to the CIO Council,\nGuidance To Assist Agencies With Certification And Accreditation Efforts, states that certification should\n\n\nOctober 6, 2004                                                                                                10\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\ncontain sufficient supporting documentation describing what has been tested and results of the tests. If\nthe test results identify security controls requiring implementation or modification, a plan documenting\nthe security controls to be implemented must be developed as well. Agencies may also use another\ncertification review methodology provided the set of requirements covered in 800-26 are addressed.\n\nFinding: FTC\xe2\x80\x99s C&A policy does not require extensive testing of security controls.\n\nThe FTC made significant progress in developing policies and procedures to enhance its IT security\nprogram. For example, FTC developed the following policies between 2003 and 2004:\n\n      \xe2\x80\xa2   Computer incident response team policy\n      \xe2\x80\xa2   Remote access\n      \xe2\x80\xa2   Certification and accreditation policies\n      \xe2\x80\xa2   Password policy\n      \xe2\x80\xa2   Vulnerability scan policy\n      \xe2\x80\xa2   Peer to peer policy\n      \xe2\x80\xa2   Inactive account management\n      \xe2\x80\xa2   E-mail management policy\n\nAdditionally, the FTC Administrative Manual, Section 550, Chapter 1, was updated in June 2004. It acts\nas an overarching guide for the agency\xe2\x80\x99s overall IT security. ITM also documented the formal and\ninformal processes for identifying the need for and developing policies and procedures. However, the\nOIG identified other areas that require updates or do not conform to OMB or NIST guidance.\n\nSpecifically, FTC\xe2\x80\x99s Certification and Accreditation Policy states that for purposes of Security Testing and\nEvaluation a vulnerability scan using approved vulnerability scanning software is sufficient to meet the\nrequirement for security testing. As agency policy excludes the need to test for management and\noperational controls it is not in keeping with NIST guidance.\n\nNotwithstanding the shortfall in agency policy, ITM has contracted with SAIC to perform its ST&E\xe2\x80\x99s.\nThese tests and evaluations, according to ITM will be based on analysis that will include document\nreviews, scans and interviews to better address management and operational controls. However, as no\nresults were available at the conclusion of fieldwork, we could not validate the methodology or the results\nof the ST&E\xe2\x80\x99s.\n\nRecommendation:\n\n          4. OIG recommends that ITM modify its C&A policy to include the testing of management and\n          operational controls as required by NIST guidance.\n\n\n6.2       Review of the FTC Administrative Manual Chapter 1\n\nNIST SP 800-18 states \xe2\x80\x9cdocumentation should be coordinated with the GSS and/or network managers to\nensure that adequate applications and installations documentation are maintained to provide continuity of\noperations.\xe2\x80\x9d Additionally, security best practices recommend that administrative documentation be up to\ndate.\n\nFinding: Sections of the FTC Administrative Manual Chapter 1 \xe2\x80\x93 Information and Technology\nServices, are outdated.\n\n\n\nOctober 6, 2004                                                                                             11\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\n\nReview of the FTC Administrative manual found that the Section 550, Computer Security, was updated in\nJune 2004. It addresses the roles and responsibilities of key personnel, information system and\napplication access controls, information security awareness training, and FTC\xe2\x80\x99s information technology\nusage policies and practices. Section 550 also addresses security requirements for GSS and MAs and\nidentifies FTC\xe2\x80\x99s MAs and GSSs. The areas of desktop software management and safeguarding sensitive\nand mission critical data are also discussed.\n\nNotwithstanding these positive steps, the OIG also found that a number of sections were outdated in\nFTC Administrative Manual Chapter 1 \xe2\x80\x93 Information and Technology Services. Specifically, Section 200,\nITM Training Resources, describes the IT training options offered by ITM. Training subjects range from\noutdated to current topics, e.g., the Rolm telephone system, computer literacy, FTC core software packages\nand corporate databases residing on the agency\xe2\x80\x99s central computer. This section does not discuss the IT\nSecurity awareness course offered by ITM. Additionally, the document lists courses for systems that are\nno longer used at FTC. For instance Section 200 offers a course for the Office of the Secretary Control and\nReporting System (OSCAR). OSCAR was merged with MMS in 2003 and is no longer separately\nidentified.\n\nSection 300, Computer Resources identifies the variety of computer resources available at the FTC. This\nsection also discusses remote access and appropriate use of FTC IT assets. It does not include FTC\xe2\x80\x99s\nVirtual Private Network (VPN) as a means of remote access. Not all of the major applications identified\nin Section 550 appear on the list of major mission support systems identified in Section 450. For\ninstance, Do Not Call and Documentum are listed as MAs in Section 550 but are not mentioned in the list\nof major support systems identified in Section 450. Additionally, OSCAR is listed as a major mission\nsupport system in Section 450.\n\nWith outdated policies, Administrative Manual readers risk wasting time and effort learning outdated\nprocesses and procedures.\n\nRecommendation:\n\n          5. OIG recommends that ITM update FTC Administrative Manual sections 200, 300 and 450 to\n          reflect the FTC\xe2\x80\x99s current training classes, VPN as a means of remote access, and to capture\n          FTC\xe2\x80\x99s current operating environment.\n\n\n6.3       Media Handling Policy\n\nNIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology\nSystems, requires that agencies address areas such as:\n\n      \xe2\x80\xa2   Procedures for ensuring that only authorized users pick up, receive, or deliver input and output\n          information and media\n      \xe2\x80\xa2   Audit trails for receipt of sensitive inputs/outputs\n      \xe2\x80\xa2   Procedures for restricting access to output products\n      \xe2\x80\xa2   Procedures and controls used for transporting or mailing media or printed output\n      \xe2\x80\xa2   Internal/external labeling for appropriate sensitivity (e.g., Privacy Act, Proprietary)\n      \xe2\x80\xa2   External labeling with special handling instructions (e.g., log/inventory identifiers)\n      \xe2\x80\xa2   Controlled access, special storage instructions, release or destruction dates\n\n\n\n\nOctober 6, 2004                                                                                               12\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\nFinding: ITM does not have general procedures for handling media containing sensitive data or\npersonally identifiable information for all its sensitive systems.\n\nThe FTC Administration Manual Chapter 1 Section 650 provides instructions on records management.\nMedia handling procedures were developed specifically for DNC. Yet, the OIG found in its review of the\nPremerger security plan that the plan does not display the sensitivity or classification of the document.\nFor example, aside from agency level guidance, there were no additional policies and procedures in place\nfor the FTC systems reviewed. On the other hand, the FFS security plan (developed and implemented by\nDOI) provides guidelines for handling the transfer of data as well as internal and external labeling.\nBasically, all FFS-related data is transferred directly between mainframes via secure transmission mode.\nIt also addresses storing, and destruction of media including hardcopy data when the media is spoiled or\nno longer needed.\n\nNot having information identified in the security plan as sensitive could lead to documents and storage\nmedia not being handled properly. This could result in the inadvertent release of sensitive or personally\nidentifiable information.\n\nRecommendation:\n\n         6. OIG recommends that ITM create system security plans that identify the sensitivity of the\n         information contained in the systems.\n\n\n7        Security Awareness Training\n\nFTC continues to show progress in training staff on IT security awareness. To date, 1,067 of FTC\xe2\x80\x99s 1424\npersonnel (F/T, P/T, students and consultants, all of whom were with the agency at some point in FY\n2004) have received security awareness training. Additionally, 25 of 34 of FTC\xe2\x80\x99s personnel having\nsignificant IT security responsibilities received specialized training. ITM told the OIG that it has recently\nbegun to identify staff who have not received training, and will provide the names of these individuals to\ntheir respective supervisors. Personnel without security awareness training are more likely to commit\nsecurity violations or be involved in activity that could threaten the security of the system because they\nare unaware of security policy and procedures.\n\nRecommendation:\n\n         There are no recommendations for this section.\n\n\n8        Security Incident Response\n\nOMB A-130 requires that agencies develop an incident response capability for their major applications\nand general support systems.\n\nThe FTC Computer Incident Response Team (CIRT) handles information security incidents. When an IT\nsecurity incident occurs, employees are instructed to contact the Help Desk. The Senior Agency\nInformation Security Officer is then notified. The CIRT then goes into action and tries to resolve the\nproblem. The Federal Computer Incident Response Center (FedCIRC) is notified when the incident is\nnew or drastically affects agency operations. If the event is of a criminal nature, the Office of the General\nCounsel is contacted for advice and to make a determination if law enforcement should be contacted. The\n\n\n\nOctober 6, 2004                                                                                               13\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\nIncident response policy includes notifying the designated OIG representative for internal security\nincidents where criminal activity is suspected and reported to law enforcement.\n\nThe Incident Response Policy provides step-by-step instructions on how to respond to a computer security\nincident. This process includes instructions for documenting the incident, assigning the event to an\nincident and assigning a security level to the incident. The next step in the process is to assign a handler to\nthe incident. The policy also addresses coordinating the incident response team, containing and eradicating\nthe problem and conducting a forensic analysis of the event. The policy also provides instructions for\nfollow-up with external organizations and creating technical and executive reports of the incident. There\nare also instructions on evidence handling.\n\nThe OIG also found that there are data integrity controls used to protect FFS data (a tested system) from\naccidental or malicious alteration or destruction. NBC uses a variety of controls including backups,\nbackground investigations, audit trail reviews, and the use of shrink wrapped COTS software or in-house\ndevelopment software on the server to protect its IT assets.\n\nRecommendation:\n\n         There are no recommendations for this section.\n\n\n9        Continuity of Operations Planning\n\nNIST SP 800-34 Contingency Planning Guide for Information Technology Systems states that changes to\nthe plan, strategies, and policies should be coordinated through the contingency plan coordinator, who\nshould communicate changes to the representatives of associated plans or programs as necessary. The\ncontingency plan coordinator should record plan modifications using a Record of Changes, which lists the\npage number, change comment and date of change. The Record Changes should be depicted in a table\nand should be integrated into the plan.\n\nNIST SP 800-34 also states that the plan must be in a ready state that accurately reflects requirements,\nprocedures, organizational structure, and policies. The contingency plan should be updated at least\nannually or whenever significant changes occur to any element of the plan. SP 800-34 states that Line of\nSuccession planning should be included in Continuity of Operations Plans and may also be included in an\nIT contingency plan. The order of succession defines who assumes responsibility for contingency plan\nexecution in the event that the highest authority (usually starting with the CIO) is unavailable or unable to\ndo so.\n\n\n9.1      Disaster Recovery Plan\n\nFinding: The DRP needs to be updated and modified.\n\nThe OIG found that the FTC has a tested Disaster Recovery Plan (DRP). The methodology used to\nevaluate the DRP was tabletop testing. The DRP addresses the recovery of FTC systems. Additionally,\nthe FTC responded to Homeland Security Presidential Directive (HSPD) \xe2\x80\x937 and submitted a\nmemorandum to OMB stating that the FTC has no resources that qualify as either critical Infrastructure or\nKey Resources. Aside from these positive developments, the OIG identified a few areas that need to be\nstrengthened.\n\n\n\n\nOctober 6, 2004                                                                                               14\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\nThe FFS security plan stated that a formal contingency plan has been completed, tested, and is in place for\nall supporting IT systems and networks. National Business Center, Products and Services (NBC/PS)\nBusiness Recovery Plan was completed in October 1999. A formal contingency plan, \xe2\x80\x9cNBC Computer\nCenter Continuity of Operations Plan (COOP)\xe2\x80\x9d has been implemented for the mainframe platform where\nthe production FFS application resides. A copy of the Business Recovery Plan is securely stored offsite.\nThe COOP is tested annually in September. The contingency/disaster recovery plans are tested every six\nto twelve months. According the security plan, it was tested in March, August, September 2003, and\nMarch 2004.\n\nThe emergency management team contact list contained in the FTC\xe2\x80\x99s plan is outdated and the plan does\nnot list a line of succession to assume authority for executing the plan. The DRP does not contain a\nrecord of changes, nor are the changes date stamped. This could create recovery problems and delays if\nteam members begin the recovery process with an outdated DRP. Not having an up to date emergency\ncontact list could lead to delays and problems in contacting team members when an emergency occurs.\nThis could lead to recovery delays. Not having an updated DRP could lead to mismanagement during the\nrecovery process as well as increased recovery costs.\n\nRecommendation:\n\n         7. OIG recommends that ITM Include a Record of Changes in the DRP, update the emergency\n         management contact list, and include a line of succession for leaderships in the DRP.\n\n\n9.2      Memorandums of Agreement (MOA) and Memorandums of Understanding (MOU)\n\nNIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems\nstates that \xe2\x80\x9c\xe2\x80\xa6memorandums of understanding (MOU), memorandums of agreement (MOA), or a Service\nLevel Agreement (SLA) for an alternate site should be developed specific to the organization\xe2\x80\x99s needs and\nthe partner organization\xe2\x80\x99s capabilities.\xe2\x80\x9d\n\nFinding: FTC needs to establish whether MOUs and MOAs with subcontractors are in place.\n\nThe FTC made progress in obtaining MOAs and MOUs. FTC currently has MOUs with the Department\nof Justice (DOJ) and AT&T Government Solutions, Inc. (GSI). FTC also has an MOA with the DOI for\nFFS. The Department of Treasury does not enter into MOAs with other agencies but it did provide FTC\nwith an Agency Guide to Access Control for Pay.Gov. However, ITM did not know if MOUs and MOAs\nwere in place with subcontractors, or whether they were even required. ITM is currently working with\nAT&T to determine the status of these agreements.\n\nNot having MOAs and MOUs in place with these subcontractors may lead to extended disruptions in\nservice should a system failure occur.\n\nRecommendation:\n\n         The OIG makes no recommendation as management has proceeded to check on selected\n         subcontractor agreements.\n\n\n\n\nOctober 6, 2004                                                                                             15\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\n10       Plan of Action and Milestones (POA&M)\n\nA POA&M, also referred to as a corrective action plan, is a tool that identifies tasks that need to be\naccomplished. It details the resources to accomplish the elements of the plan, milestones in meeting the\ntask and scheduled completion dates for the milestones. FISMA guidance states POA&Ms \xe2\x80\x9care the\nauthoritative agency management mechanism to prioritize, track, and manage all agency efforts to close\nsecurity performance gaps.\xe2\x80\x9d The POA&M should include all security weaknesses resulting from all\nreviews done by, for, or on behalf of the agency, including Government Accountability Office (GAO)\naudits, financial system audits and critical infrastructure vulnerability assessments. POA&Ms are to be\nsubmitted on a quarterly basis to OMB.\n\nITM has made significant progress in improving its POA&M management program this past year. A\nreview of the POA&M for fiscal year 2004 found that ITM is now tracking significant weaknesses from\nother security reviews and studies as well as from FISMA evaluations. Quarterly POA&M reports are\nbeing submitted to OMB on time. The FTC has improved its POA&M recording, tracking, correcting and\nreporting processes. The POA&M follows OMB format and includes performance measures. ITM also\nimproved its methodology for recording changes to milestones and corrective actions.\n\nThe OIG and ITM are now working together to review completed corrective actions on a quarterly basis\nto confirm that remediation actions actually correct the problem. Over the three quarters of FY 2004, the\nOIG verified that the FTC completed 25 corrective actions.\n\nDespite the progress ITM made in improving its POA&M management process and implementing\neffective corrective actions, there are still areas of the POA&M process that can be improved.\n\nFinding: ITM is marking corrective actions as complete before they are actually completed.\n\nOMB Guidance requires that agencies report the number of weaknesses for which corrective actions were\ncompleted on time (including testing) on December 15, March 15, June 15 and October 6. Over the past\nthree quarters of fiscal year 2004, the OIG determined six corrective actions were identified in the\nPOA&M as complete prior to their actual completion.\n\nPremature reporting of completed corrective actions was occurring because ITM based some of its\ndecisions to declare an action completed on the estimated completion dates of the tasks, and in some cases\nthese dates were overly optimistic. As OMB requires that quarterly reports be submitted prior to the last\nday of the last month of the quarter (for three quarters), ITM incorrectly assumed (on six items) that the\nactions would be completed. Additionally, ITM is not testing corrective actions to determine if the\ncorrective action is actually completed or is effective.\n\nOMB also requires agencies to submit quarterly update reports on their progress in correcting POA&Ms.\nUnlike the POA&Ms themselves which contain narratives, these status reports provide a quantitative\nmeasure of agency progress in tracking and correcting weaknesses. Because of the way ITM interpreted\nFISMA guidance and the way ITM reported corrective actions as completed prior to their actual\ncompletion date, the totals on the quarterly update reports are not always accurate. Additionally, the\nPOA&M sheet from the first quarter of the year did not contain all of the weaknesses identified from\nother security reviews and studies. This issue was addressed by the third quarter. ITM told the OIG that it\nwould adjust its procedures accordingly.\n\nThis problem arose because FTC misinterpreted FISMA POA&M reporting guidance. This has the effect\nof FTC inaccurately reporting POA&M status to OMB.\n\n\n\nOctober 6, 2004                                                                                             16\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\nRecommendation:\n\n         8. OIG recommends that ITM verify that projected corrective actions are indeed completed, and\n         if not reflect any adjustments on the next quarterly POA&M.\n\n\n11       Miscellaneous Findings\n\n11.1     Separation of Duties\n\nOMB A-130, appendix III requires that duties be separated to ensure that users only have access to those\nfunctions needed to do their job and individual accountability. Premerger, Infrastructure, and FFS all\nmaintain a separation of duties among users. The NBC identified two divisions as being primarily\nresponsible for the maintenance and support of FFS and the data center. The Finance Systems &\nOperations Division is responsible for the overall management of the FFS. The ADP Services Division is\nresponsible for the support of the data center environment it resides in. There are formal reporting lines\nwithin NBC to maintain separation of duties between key functions. The ADP Services Division is\nresponsible for security administration, planning and programs, computer operations, application\ndevelopment and maintenance, system software maintenance, and production control. The Finance\nSystems & Operations Division is responsible for application change management and production\ncontrol. Premerger relies on Oracle roles to maintain separation of duties and control what users can do\non the system. For Infrastructure, there is separation of duties between security personnel and system\nadministrators. Security personnel have limited access to system resources and must notify Infrastructure\nOperations when they need unlimited access to the system.\n\nRecommendation:\n\n         There are no recommendations for this section.\n\n\n12       Testing\n\n12.1     Internal and External Vulnerability Assessment\n\nScans and penetration tests were not conducted as part of the FISMA review this year due to the testing\nperformed last year by the OIG and because the FTC has taken steps to implement regular scanning of\ntheir systems. The assessment team felt that it would be counterproductive to run a scan while their\nscanning and remediation program is underway. However, the OIG plans to conduct scans in the\nupcoming year and continue to monitor ITM\xe2\x80\x99s progress in identifying, tracking and correcting\nvulnerabilities. To date FTC has:\n\n     \xe2\x80\xa2   Purchased and installed ISS Proventia scanning and Intrusion Detection System (IDS) tools\n     \xe2\x80\xa2   Conducted NESSUS scans on various systems\n     \xe2\x80\xa2   Developed and finalized a vulnerability scanning policy\n     \xe2\x80\xa2   Contracted Science Applications International Corporation (SAIC) to conduct scans of the\n         Demilitarized Zone (DMZ), Infrastructure network, and FTC applications\n     \xe2\x80\xa2   Developed a means to track the status of corrective actions\n\nReview of the vulnerability assessment scan indicated that scans were run on the following systems:\n\n\n\n\nOctober 6, 2004                                                                                             17\n\x0c                                                     Independent Evaluation of FTC Information Security Program\n\n\n\n    \xe2\x80\xa2    Infrastructure, (July 26, 2004)\n    \xe2\x80\xa2    Premerger (August 5, 2003, e-filing servers; May 6, 2004)\n    \xe2\x80\xa2    Demilitarized Zone Information Systems, (March 5, 2004)\n\nFinding: The Corrective Action Plan (CAP) does not always identify who was responsible for taking\naction or the planned and actual completion dates, (ii) is not standard across all of the systems, and\n(iii) is not being updated.\n\nReview of the two Premerger scans found that the August 5, 2003 scan did not contain IP addresses and\nonly addressed the e-filing module of Premerger. Therefore the later scan could not be compared with the\nearlier scan. In an attempt to determine if vulnerabilities are being corrected in a timely manner, the OIG\nevaluation team reviewed the CAP.\n\nThe CAP did not uniformly identify who was responsible for the corrective action or the planned and\nactual completion dates of the remediation. Therefore, it could not be confirmed if vulnerabilities\nidentified by the scans are being corrected. Review of the latest CAP also revealed that the format of the\nCAP is not standard across all of the systems.\n\nITM personnel stated that vulnerabilities are being corrected but the CAP is not being updated regularly.\nAdditional scan reports were requested but not provided by the close of fieldwork. The assessment team\nalso reviewed the VANTIVE ticket log for 2004 and found only one ticket for the removal of unnecessary\nservices on Unix systems. This ticket was marked as completed.\n\nRecommendation:\n\n         9. OIG recommends that ITM modify the CAP to include the name of the person responsible for\n         the corrective action as well as the planned and actual completion dates. In addition, the CAP\n         should be standardized across all systems, and kept up to date.\n\n\n12.2     Logical Access Controls\n\nOIG reviewed the system logical and managerial access controls implemented by ITM. The findings are\ndiscussed below.\n\nSystem Access Controls\n\nNIST SP 800-18 requires that systems employ logical access controls to designate who or what is to have\naccess to a specific system resource and the type of transactions and functions that are permitted. There\nare logical access controls over Infrastructure network access. By default, accounts are given access to\nareas within their organizational group. Additional access is provided by information system request\n(ISR) or Vantive ticket. The ISR requires approval by the person\xe2\x80\x99s supervisor and the Vantive ticket\nrequires approval by the data owner before access can be granted. There are logical access controls over\nnetwork access.\n\nLogical access controls for Premerger restrict the time of day, day of the week, and status of the\ntransaction when data can be entered. Roles within the Oracle menu also restrict users to authorized\ntransactions and functions. Network access is determined by what shares a person can access. Access to\nthe network is granted by Network Operations. Personnel have default access to certain areas of the\nnetwork. Other areas require need-based justification for access.\n\n\n\nOctober 6, 2004                                                                                             18\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\nAccording to the FFS security plan, there are controls in place to authorize and restrict the activities of\nusers and system personnel within the application. There are hardware and software features that are\ndesigned to permit only authorized access to or within the application. These features restrict users to\nauthorized activities. Connectivity to the FFS application is provided through the DOI limited network:\nSNA, TCP/IP, dial-up and VPN. Rights are granted by designated Security Points of Contact (SPOC).\nPrivileges are granted based on job function and job categories.\n\nIn conclusion, the OIG has determined that management has moved forward to gain control over system\naccess, an improvement over the prior year.\n\nRecommendation:\n\n         There are no recommendations for this section.\n\n\n12.3    Managerial Access Controls\n\nManagerial controls encompass decisions or actions by individuals to provide accounts to other\nindividuals to perform their job responsibilities while restricting access to information that is not needed\nfor that purpose.\n\nLimiting access to FTC systems continues to be a vulnerability for ITM. While ITM has made some\nimprovements in this area since the last FISMA review, e.g., ITM has revoked access privileges for\ndevelopers for select systems while consolidating responsibility for all production systems, the OIG noted\nthat departing staff are not always removed from access lists, and some reassigned IT staff can still access\nsensitive information they no longer need to access to perform their job-related responsibilities.\n\nThe OIG review covered two areas related to access controls. First, the OIG reviewed policies and\nprocedures to remove separating (departing) employees from FTC system access. Any accounts left open\nprovide another gateway into the system for hackers to use. To test these controls, we reviewed (i) LAN\n(GSS) and (ii) Premerger access controls.\n\nThe second area reviewed also involves deleting accounts, but for current staff. Oftentimes, staff is\nprovided access to select databases and /or systems only to have their requirements change as they move\nfrom one position, office or bureau to another within the agency. This often occurs with IT staff who, in\naddition to having technical skills and experience needed to navigate various IT platforms, software and\ndatabases, is often assigned administrator-level privileges on select systems. The OIG reviewed policies\nand procedures to control access for interagency transfers on the FFS / FPPS systems.\n\n(A) Removing Separating Employees - The FTC maintains a biweekly separation report detailing (full\ntime, part time and consultant) staff that have left the agency. In addition, the agency has a check out\nprocess that requires staff (either departing staff or their administrative officers) to alert the FTC Help\nDesk to the departure so that their system accounts can be terminated. These redundant processes provide\ninformation to systems managers to delete accounts for these employees.\n\nNotwithstanding the processes described above, the OIG observed internal control weaknesses that\npermitted individuals who have separated from the agency to maintain access privileges to one of the two\nsystems reviewed. The OIG identified 21 active LAN accounts belonging to separated employees that\nshould have been deleted.\n\n\n\n\nOctober 6, 2004                                                                                                19\n\x0c                                                      Independent Evaluation of FTC Information Security Program\n\n\n\nLAN Access - The FTC relies on a common IT infrastructure to support its major programs.\nConsequently, the level of security over the applications operated by these programs is derived, to a large\nextent, from the security controls employed in conjunction with the general support system. A major\ncomponent of the GSS is the LAN. If a LAN account is disabled, it is not possible to access other\nsystems through that disabled account.\n\nThe OIG compared the LAN access list as of 9/10/04 with the agency\xe2\x80\x99s separation report for FY 2004.\nIdeally, employees leaving the agency would have their access revoked on their last day of work at the\nagency. There were approximately 1,300 employees at the agency on 9/10/04. The OIG identified 152\nstaff that left the FTC between 10/3/03 and 8/7/04. There were 21 names appearing on both lists - e.g.,\nstaff that left the agency but were not removed from LAN access. The OIG provided the names to the\nnetwork administrator for removal.\n\nThe OIG was told by ITM that accounts that are not used for 30 days go dormant, and become\ninaccessible. If after an additional 30 days the accounts are still not accessed, then they are permanently\ndeleted. As a result, the most that an account should exist is 60 days. However, the OIG determined that\nthis control does not catch all departing employees as 20 of the 21 separated staff identified above had\nactive accounts for between two and ten months.\n\nThe OIG compared the Premerger access list with the separation report and found no exceptions. For the\nPremerger access list, ITM sends the program manager a list of staff who currently have access as of the\ndate of the list. The program manager then reviews the list and provides the names of staff who no longer\nneed account access back to ITM for deletion. This effort by ITM and Premerger appears to be effective.\n\nThe OIG believes that procedures in place to limit Premerger access are generally effective. On the other\nhand, network personnel should determine how LAN accounts of 20 former staff remained active for as\nmany as 10 months after these individuals left the agency.\n\nRecommendation:\n\n         10. OIG recommends that ITM determine why the control to eliminate accounts over 60 days\n         failed for the employees identified by the OIG as having active accounts over 60 days.\n\n         11. OIG recommends that ITM compare separation reports to a current list of staff with LAN\n         accounts monthly. (This search can be performed electronically.) Staff appearing on both lists\n         should be provided to the LAN manager for immediate deletion.\n\nNote: Subsequent to the close of fieldwork, ITM informed the OIG that seven of the 21 accounts were\nspeed dials for the former employees listed in a current employee\xe2\x80\x99s IP Phone address book, and one\naccount belonged to an employee who was still at the agency, even though he was identified as separating\non 12/31/03. The OIG did not validate this explanation.\n\n\n12.4     Controlling Access for Interagency Transfers\n\nThe OIG performed limited tests of employee transfers within the FTC (and NBC)2 to determine if access\nto the FFS or FPPS systems were still required, and whether individuals were removed when access was\nno longer required.\n\n2\n The Federal Financial System (FFS) and Federal Personnel and Payroll System (FPPS) are Department\nof Interior systems used by the FTC through DOI\xe2\x80\x99s National Business Center (NBC). FFS houses the\n\n\nOctober 6, 2004                                                                                              20\n\x0c                                                      Independent Evaluation of FTC Information Security Program\n\n\n\n\nThe OIG found that ITM, FMO and HRMO have failed to implement a policy of reviewing information\naccess to insure that FTC and NBC contractors and staff professionals do not have access to information\nonce they have been assigned to other duties.\n\nFor purposes of this discussion, there are two levels of access within FFS/FPPS. The first level enables\nusers to enter and change data. Users access the FFS mainframe directly to perform these transactions. On\n6/29/04 there were 18 FTC staff and 38 NBC staff with such access. (The FTC staff is primarily located\nin the financial management program area.)\n\nLevel 2 access does not permit the user to alter the data, rather it enables the user to view or access\ndownloaded data for the purpose of producing reports for management review (in effect, \xe2\x80\x9cread only\xe2\x80\x9d).\nReports include \xe2\x80\x9cFFS Detail\xe2\x80\x9d, Payroll, \xe2\x80\x9cPersBud\xe2\x80\x9d and \xe2\x80\x9cFTC Downloads.\xe2\x80\x9d On 6/29/04, there were 72\nFTC staff that were granted one or more role assignments to view or access downloaded data.\n\nThe OIG identified no FTC staff transfers requiring removal from level one access. This was expected, as\nITM told the OIG at the entrance conference that it was in the process of reviewing access permissions on\nall systems. However, we did identify five staff at NBC with access to FTC data that no longer were\nassigned to FTC accounts. The OIG provided the names to the NBC program manager responsible for\nFTC accounts who promptly deleted the names of these five from access to these accounts.\n\nThe OIG discussed account deletion policies and procedures with FTC\xe2\x80\x99s security point of contact\n(SPOC), the person responsible for, among other things, granting and revoking access, and assigning\ndifferent profiles to users depending on need. He told the OIG that he has no formal procedure to ensure\nthat the accounts of staff no longer needing system access are deleted. The SPOC told the OIG that he\nhas not deleted any names from FFS access in the two years he has performed these duties. Similarly, the\nSPOC for the FPPS database (timekeeper access and SF-50 processing) told the OIG that she relies on\nadministrative officers informing her of staff separations, but admitted that transfers often go unreported.\n\nAlthough we did not review transfers with Premerger, the program manger told the OIG that ePremerger\n(the new system that will replace Premerger for tracking HSR filings) will provide access to all within the\nBureau of Competition. The OIG believes that this runs counter to sound security practices. Access\nshould be limited to those employees with a demonstrated need.\n\nRecommendation:\n\n         12. OIG recommends that FFS and FPPS SPOC\xe2\x80\x99s establish procedures to review access lists\n         monthly to determine whether access lists are up to date. An email to the administrative officer\n         for all staff with access rights could quickly confirm the need.\n\n\n12.5      Access to Test Data\n\nITM has recently attempted to limit access to systems and databases only to those individuals who have a\nbonafide need to select systems. However, ITM has not removed access in select test databases (test),\n\nFTC\xe2\x80\x99s accounting system for travel and vendor payment transactions, while FPPS provides payroll and\nother select personnel services.\n\n\n\n\nOctober 6, 2004                                                                                              21\n\x0c                                                       Independent Evaluation of FTC Information Security Program\n\n\n\nwhich provide access to the same data as do the production databases (production). To understand the\nimportance of this failure, it is first necessary to understand test and production. The latter contain data\nthat is continually updated when transactions occur. Based on the production database for FFS, for\nexample, select staff is able to access the personnel information (pay level, awards information, social\nsecurity numbers) of FTC employees for the purpose of running reports for management. Test is used to\nmake alterations in the software that enables analysts to use the production data or to fix \xe2\x80\x9cglitches.\xe2\x80\x9d ITM\nwill copy the production database, which then becomes the test database.\n\nITM recently removed some of its developers from access to the production data because of its\nsensitivity. ITM also told the OIG that it will continue to limit access to its staff. However, ITM failed to\nperform this same review for staff with access to the \xe2\x80\x9ctest\xe2\x80\x9d database. Consequently, staff removed from\nproduction has access to identical data in test. While aged information is no longer sensitive in some\ndatabases, the same cannot be said for personnel information. The OIG believes that access between the\ntwo should be similarly controlled.\n\nThe OIG also noted that individuals with access to the test database also had special privileges that\nenabled them to view information freely. Specifically, any individual that has the Oracle role\napp_developer assigned has four important privileges that effectively make any individual that has this\nrole assigned to them a DBA. The Alter user privilege allows the user to alter any user password\nincluding SYS and SYSTEM. Using a series of commands that have been common knowledge among\nOracle users for many years, a user can change the SYS password, login as SYS and then change the SYS\npassword back so that the DBA would not know that the account was compromised. The second privilege\nis SELECT ANY TABLE. This privilege allows the user to view information in any table or view in the\ndatabase. GRANT ANY ROLE and GRANT ANY PRIVILEGE allow the user to grant any role or\nprivilege to any other user in the database including themselves. Combining the create user and grant any\nrole or privilege effectively provides the capability of creating a Trojan horse in the database for later use.\n\nThe OIG believes that there is no reason to assign a developer a \xe2\x80\x9ccreate user\xe2\x80\x9d privilege, yet this privilege\nis automatically given with the app_developer role. Just by virtue of needing access to one area in the\nFSS data warehouse, i.e., staff time & attendance (STAR) data, the user is given, by default, access to all\nFFS databases, to include personnel and payroll. For example, the privilege \xe2\x80\x9cselect any table\xe2\x80\x9d allows the\nuser to see any data from any table.\n\nRecommendation:\n\n         13. OIG recommends that the account manager ensure that staff has access only to those systems\n         it needs to perform work-related functions.\n\n         14. OIG recommends that the account manager limit privileges for those assigned the\n         app_developer role to areas of the database required for work-related performance.\n\n\n\n\nOctober 6, 2004                                                                                               22\n\x0c'